Ask Lemmy
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected].
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try [email protected] or [email protected]
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
view the rest of the comments
What makes it impossible? Why would any given instance maintainer be responsible for the data on someone else's instance? Would it not fall on the GDPR requester to make that request of each individual instance?
The requester can have no idea where his data ended up. That's why the admin who receives the data is responsible for who he gives it to. And he also has to forward the delete request to whoever he gave it to.
Otherwise, customers of an online service that sells their data would have to request deletion from everyone who bought it, which is impossible cause they don't know who that is.
The regulation was written to give people more control over their data, but it has no provision for something like federation, and it also doesn't allow for a "do whatever you want with my data" box the users could check.
The regulation was written to give private users control over what big corporations can do with their data. It doesn't fit for non-commercial (but also not private) use by a loose group of admins. But legally, it still applies.
So then if someone requests that Gmail delete all their email data, is Google then responsible for making sure any emails sent out from it's server to another is also deleted from those external servers?
Just in case you guys are wondering, there’s probably dozens of us enjoying the fuck out of this conversation. Thank you for asking questions I wouldn’t think of asking. On behalf of all three of us lurking.
Lol yeah this is great.
I really want to hear the answer to this
I don't have the answer but I think of it like this.
Email is essentially a direct conversation between you and someone in the same room but you may extend (cc) to those people in the house. There is an implicit "I am including you in the conversation"
Lemmy on the other hand is more akin to talking to someone in a crowded bar but the conversation is recorded and anyone over the world has the ability to listen to the conversation at any given time.
Apples and oranges.
Interesting perspective, but then cannot we consider that Lemmy users are aware that they are including all of the Fediverse in their conversation? That way Lemmy instances could be treated in the same way email providers are
See https://gdpr-info.eu/issues/right-to-be-forgotten/
Once the "controller has made the personal data public", they have legal obligations. Gmail doesn't make my data public, generally.
Hm, I see. A shortcoming of the law, when they probably did not imagine something such as Lemmy or Mastodon happening. By the way, how does Mastodon deal with that? They've been around for much longer
I checked Mastodon briefly. It appears they are currently not in compliance. There are open issues on GitHub, but nothing looks close.
Interesting, thanks!
But the controller is not making the data public. The user is.
See https://gdpr-info.eu/issues/right-to-be-forgotten/
Once the "controller has made the personal data public", they have legal obligations. When you send an email, you are not making it public.
Essentially yes, it's called the Right to Erasure or the Right to be Forgotten. If the user is in a country that adheres to GDPR and the company controlling the data operates in a country that also uses GDPR, then that right applies.
The only reason Google/Gmail wouldnt delete (or wouldn't be able to delete) some of your data would be if they had a lawful or legitimate basis for holding onto it.
I can't think of a reason Google would give for hanging on to your data but that doesn't mean there isn't one, but they'd have to notify you of that reason as part of their response to your request.
Making money is not a requirement for the GDPR to apply. Neither is being based or hosting in the EU.
In fact, the example the EU provides on their site is of a company that offers free services (and is based outside of the EU):
https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
Don't allow users from the EU to sign up? Is that your plan?
Seems to be the plan for an increasing number of social media companies. As far as Lemmy is concerned, if it and other related services get killed, that just drives us underground to the darknet and the old tried and true chat services still being used there. As the old saying goes, can't stop the signal, and every empire falls to ruin eventually. We'll see how long it takes for Rome to crumble this time.
Wouldn't it be easier to fix the delete federation bug so Lemmy could comply with GDPR ?
Yeah, but if you don't have any assets in the EU for them to seize, and if you're not present in the bloc yourself it doesn't matter for shit. They have no jurisdiction or ability to enforce unless you really, really want to operate inside of their market at scale.
See https://gdpr-info.eu/issues/right-to-be-forgotten/
Once the "controller has made the personal data public", they have legal obligations.
Yes, but "the controller" is one instance, and it's certainly easy for one instance to allow a user to be forgotten. You can purge the user from the instance. Then they are forgotten, as far as the instance is concerned.
As an example, just because someone makes a GDPR request on YouTube to delete a video, does not require Google to actually remove the video from the whole internet. There are plenty of websites that archive content which are unaffected by that GDPR request. It's the exact same thing with different Lemmy instances, just because you ask lemm.ee to delete your content does not mean that lemmy.world needs to delete your content.
The GPDR doesn't require Lemmy to remove personal data from the entire internet. But when a Lemmy instance gives data to other Lemmy instance, there are legal responsibilities.
https://gdpr-info.eu/art-17-gdpr/ Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
==========
Maybe this is open to interpretation, but I feel that the same Federation protocol that federates out my personal data (my posts and comments), should also federate out my delete requests. I'm unsure why this would be controversial.